New Mac malware poses as PDF doc

Security firms have warned Mac users of a new Trojan horse that masquerades as a PDF document.

Security firms today have Mac users of a new Trojan horse that masquerades as a PDF document.

The malware, which was spotted by UK-based Sophos and Finnish antivirus vendor F-Secure, uses a technique long practiced by Windows attackers.

"This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a '.pdf.exe' extension and an accompanying PDF icon," F-Secure said.

That practice relies on what is called the "double extension" trick: adding the characters ".pdf" to the filename to disguise an executable file.

The Mac malware uses a two-step process, composed of a Trojan "dropper" utility that downloads a second element, a Trojan "backdoor" that then connects to a remote server controlled by the attacker, using that communications channel to send information gleaned from the infected Mac and receiving additional instructions from the hacker.

Because it doesn't exploit a vulnerability in Mac OS X -- or any other software -- the malware instead must dupe users into downloading and opening the seemingly-innocuous PDF document, which is actually an executable.

Once run, the dropper downloads the second-stage backdoor and opens a Chinese-language PDF. F-Secure said that the PDF was another sleight-of-hand trick: "[The dropper component] drops a PDF file in the /tmp folder, then opens it to distract the user from noticing any other activity occurring," the company said in a description of the attack.

Both Sophos and F-Secure noted that the malware doesn't work reliably, and currently can't connect to the command-and-control (C&C) server because the latter isn't fully functional.

Mac malware is typically crude in comparison with what targets Windows PCs.

Because the C&C server is not yet operational and since it found samples of the Trojans on VirusTotal -- a free service that runs malware against a host of antivirus engines -- F-Secure speculated that the malware is still in the testing phase.

Although Apple's Mac OS X includes a bare-bones antivirus detector, it has not been updated to detect the just-noticed Trojan dropper or backdoor. Checks of several Computerworld Macs running Lion, for instance, found that Apple last updated its detector on Aug. 9.